Updates to Salesforce normally happen silently and with limited disruption for users. However, from February 2022 Salesforce are making a big change that will affect all users with multi-factor authentication becoming required. The good news is that it will ultimately help keep your Salesforce data more secure, which is particularly important for charities using the platform to store sensitive information about beneficiaries and donors.
Multi-factor authentication (MFA) means that at least two pieces of information (or factors) are needed for users to log in. To provide additional security these pieces need to come from different places (so username and password don't count as two pieces!).
MFA is gradually becoming the norm, with more and more platforms either encouraging it or actively enforcing it. The simple reason for this is that it makes it much harder for user accounts to be compromised and data breaches to occur.
As part of this trend some platforms are becoming stricter about what type of factors can be used. Sending codes by SMS or email is acknowledged to be one of the weakest forms of MFA, so Salesforce are getting rid of these options altogether in favour of pushing users towards using a more secure authenticator app to generate a code.
Your Salesforce users will no longer be able to log in with just their username and password from the 1st February 2022. They'll need to provide a second piece of information. There are no exceptions to this so as an organisation you'll have to ensure all staff are in a position to be able to do this.
There are a couple of different ways to provide this information but the simplest method and the one we are recommending is for users to have the Salesforce Authenticator app installed on a device they have access to. This will allow them to easily generate time-limited access codes at the point they log in.
We know that sometimes sharing user accounts is a thing that some charities do. At Impact Box we always discourage this from a security perspective, but the introduction of MFA will likely kill off this practice completely because it won't be viable to share access codes in the same way that it was with email verification.
It's worth noting that this only applies to log ins via the user interface so if you've got existing integrations between Salesforce and other systems (via Zapier or FormAssembly, for example) they should not be impacted by the change.
To ensure the change is as smooth as possible for your users we recommend the following:
Ensure you have the right equipment. If you are going to use the Salesforce Authenticator app check that everyone who needs it has a suitable device that can run the app.
Test it with a subset of users. Identify a few users to test MFA with and selectively enable it for them. This will be a good way of checking the devices you are expecting people to use are up to the job. You can selectively enable MFA using a Permission Set as outlined here.
Be ahead of schedule with everyone. Don't wait until 1st February for the change to happen and let it catch the rest of your users by surprise. Identify a date before that when you are going to optionally enable it for all users and plan for that date. If you can do this on a day when people are in the same place so you can provide some in-person training and be available to troubleshoot then you'll be less likely to encounter issues.
If you have questions about the upcoming multi-factor authentication change or want to find out how other organisations are preparing you can join our online community for charities using the Salesforce platform. It's completely free to join and everyone is welcome!